![\"Schematic](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/01\/09045456\/ecovacs-robot-vacuums-hacked-in-real-life-1.jpeg\")
<\/a>Today\u2019s robot vacuum is a full-fledged computer on wheels Source<\/a><\/p><\/div>\n And of course, the modern robot vacuum has sensors everywhere: infrared, lidar, motion, camera (often several of each), and some models also have microphones for voice control.<\/p>\n The Ecovacs DEEBOT X1 has not only a camera, but an array of microphones Source<\/a><\/p><\/div>\n And naturally, all modern robot vacuums are permanently online and hooked up to the vendor\u2019s cloud infrastructure. In most cases, they communicate aplenty with this cloud \u2014 uploading piles upon piles of data collected during operation.<\/p>\n The first report of vulnerabilities in Ecovacs robot vacuums and lawnmowers surfaced in August 2024, when security researchers Dennis Giese (known for hacking a Xiaomi robot vacuum<\/a>) and Braelynn Luedtke gave a talk at DEF\u00a0CON\u00a032 on reverse engineering and hacking Ecovacs robots<\/a>.<\/p>\n The Ecovacs GOAT G1 can also be equipped with GPS, LTE and a long-range Bluetooth module Source<\/a><\/p><\/div>\n In their talk, Giese and Luedtke described several methods for hacking Ecovacs robot vacuums and the mobile app that owners use to control them. In particular, they found that a potential hacker could access the feed from the robot\u2019s built-in camera and microphone.<\/p>\n This is possible for two reasons. First, if the app is used on an insecure network, attackers can intercept the authentication token and communicate with the robot. Second, although in theory the PIN code set by the device owner secures the video feed, in practice it gets verified on the app side \u2014 so it can be bypassed.<\/p>\n The PIN code for securing the video feed from an Ecovacs robot vacuum is verified on the app side, which makes the mechanism extremely vulnerable Source<\/a><\/p><\/div>\n The researchers also managed to gain root access to the robot\u2019s operating system. They found it was possible to send a malicious payload to the robot via Bluetooth, which in some Ecovacs models gets turned on after a scheduled reboot, while in others it\u2019s on all the time. In theory, encryption should protect against this, but Ecovacs uses a static key that\u2019s the same for all devices.<\/p>\n Armed with this knowledge, an intruder can get root privileges in the operating system of any vulnerable Ecovacs robot and hack it at a distance of up to 50\u00a0meters (~165 feet)\u00a0\u2014 which is precisely what the researchers did. As for robot lawnmowers, these models are hackable at more than 100\u00a0meters (~330 feet) away, since they\u2019ve got more powerful Bluetooth capabilities.<\/p>\n Add to that that, as mentioned already, today\u2019s robot vacuums are full-fledged Linux-based computers, and you can see how attackers can use one infected robot as a means to hack others nearby. In theory, hackers can even create a network-worm to automatically infect robots anywhere in the world.<\/p>\n Bluetooth vulnerability in Ecovacs robots could lead to a chain of infection Source<\/a><\/p><\/div>\n Giese and Luedtke informed Ecovacs about the vulnerabilities they found, but received no response. The company did try to close some of the holes, say the researchers, but with little success and ignoring the most serious vulnerabilities.<\/p>\n It appears that the DEF\u00a0CON talk generated great interest in the hacker community\u00a0\u2014 so much so that someone seems to have taken the attack a step further and deployed it on Ecovacs robot vacuums out in the real world. According to recent reports<\/a>, owners in several U.S. cities had been hit by hackers and made to suffer abuse from their robot servants.<\/p>\n In one incident in Minnesota, an Ecovacs DEEBOT\u00a0X2 started moving by itself and making strange noises. Alarmed, its owner went into the Ecovacs app and saw that someone was accessing the video feed and remote-control feature. Writing it off as a software glitch, he changed the password, rebooted the robot and sat down on the couch to watch TV with his wife and son.<\/p>\n But the robot kicked back into life almost straight away\u00a0\u2014 this time emitting a continuous stream of racial slurs from its speakers. Not knowing what to do, the owner turned off the robot, took it into the garage and left it there. Despite this ordeal, he is grateful that the hackers made their presence so obvious. Far worse, he says, would have been if they\u2019d simply secretly monitored his family through the robot without revealing themselves.<\/p>\n<\/a>Vulnerabilities in Ecovacs robot vacuums and lawn mowers<\/h2>\n
<\/a><\/a><\/a>How the Ecovacs robot vacuums were hacked for real<\/h2>\n
<\/a>